From owner-svn-src-all@freebsd.org Tue Jul 28 16:10:53 2020 Delivered-To: svn-src-all@mailman.nyi.freebsd.org Message-Id: <202007281610.06SGApIP027760@repo.freebsd.org>
From: Gordon Bergling Date: Tue, 28 Jul 2020 16:10:51 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org Subject: svn commit: r363651 - stable/12/lib/geom/eli X-SVN-Group: stable-12 X-SVN-Commit-Author: gbe X-SVN-Commit-Paths: stable/12/lib/geom/eli X-SVN-Commit-Revision: 363651 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.33 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 28 Jul 2020 16:10:53 -0000 Author: gbe (doc committer) Date: Tue Jul 28 16:10:51 2020 New Revision: 363651 URL: https://svnweb.freebsd.org/changeset/base/363651 Log: MFC r363363, r363416: geli(8): new example with file based storage r363363: geli(8): Add an example on how to use geli(8) with a file as encrypted storage Reviewed by: bcr (mentor) Approved by: bcr (mentor) Differential Revision: https://reviews.freebsd.org/D25741 r363416: geli(8): Add missing commands in the EXAMPLES section Reported by: Fabian Keil Reviewed by: bcr (mentor) Approved by: bcr (mentor) Differential Revision: https://reviews.freebsd.org/D25761 Modified: stable/12/lib/geom/eli/geli.8 Directory Properties: stable/12/ (props changed) Modified: stable/12/lib/geom/eli/geli.8 ============================================================================== --- stable/12/lib/geom/eli/geli.8 Tue Jul 28 16:08:14 2020 (r363650) +++ stable/12/lib/geom/eli/geli.8 Tue Jul 28 16:10:51 2020 (r363651) @@ -24,7 +24,7 @@ .\" .\" $FreeBSD$ .\" -.Dd March 19, 2020 +.Dd July 22, 2020 .Dt GELI 8 .Os .Sh NAME 
@@ -1094,6 +1094,66 @@ resuming the laptop: # geli resume gpt/private Enter passphrase: .Ed +.Pp +To create a +.Nm +encrypted filesystem with a file as storage device follow this example. +First a file named private0 is created in +.Pa /usr +and attached as a memory disk like +.Pa /dev/md0 +for example. +.Bd -literal -offset indent +# dd if=/dev/zero of=/usr/private0 bs=1m count=256 +# chmod 0600 /usr/private0 +# mdconfig -t vnode -f /usr/private0 +.Ed +.Pp +It is recommended to place the following line in +.Xr rc.conf 5 +to have the memory disk automatically created during boot. +.Bd -literal -offset indent +mdconfig_md0="-t vnode -f /usr/private0" +.Ed +.Pp +After +.Pa /dev/md0 +is created a random key has to be generated and stored in a secure location, +like +.Pa /root +for example. +This key should be protected by a passphrase, which +is requested when geli init is called. +.Bd -literal -offset indent +# dd if=/dev/random of=/root/private0.key bs=64 count=1 +# geli init -K /root/private0.key -s 4096 /dev/md0 +Enter new passphrase: +Reenter new passphrase: +# geli attach -k /root/private0.key /dev/md0 +Enter passphrase: +# dd if=/dev/random of=/dev/md0.eli bs=1m +.Ed +.Pp +Once the initialization of the +.Pa /dev/md0.eli +device is ready create a UFS filesystem and mount it for example in +.Pa /private . +.Bd -literal -offset indent +# newfs /dev/md0.eli +# mount /dev/md0.eli /private +.Ed +.Pp +After a system reboot the +.Nm +device can be mounted again with the following commands. +The call of geli attach will ask for the passphrase. +It is recommended to do this procedure after the boot, because otherwise +the boot process would be waiting for the passphrase input. +.Bd -literal -offset indent +# geli attach -k /root/private0.key /dev/md0 +Enter passphrase: +# mount /dev/md0.eli /private +.Ed .Sh ENCRYPTION MODES .Nm supports two encryption modes: 
@@ -1156,7 +1216,9 @@ block cipher was implemented by Yoshisato Yanagisawa i .Pp Highest .Nm GELI -metadata version supported by the given FreeBSD version: +metadata version supported by the given +.Fx +version: .Bl -column -offset indent ".Sy FreeBSD" ".Sy version" .It Sy FreeBSD Ta Sy GELI .It Sy version Ta Sy version
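Review bot: in the EXAMPLES hunk (@@ -1094,6 +1094,66 @@), the key file written by `# dd if=/dev/random of=/root/private0.key bs=64 count=1` is never given restrictive permissions, while the backing file does get `# chmod 0600 /usr/private0` a few lines earlier; the raw key file is one of the two factors needed to attach the provider, so add `# chmod 0600 /root/private0.key` right after that dd line rather than relying on the permissions of /root or the current umask. Two smaller points in the same hunk: `# mdconfig -t vnode -f /usr/private0` lets mdconfig choose the next free unit, which need not be md0 even though the surrounding text and the `mdconfig_md0="-t vnode -f /usr/private0"` rc.conf line assume it, so either pass `-u 0` or tell the reader that mdconfig prints the name of the unit it created; and `# dd if=/dev/random of=/dev/md0.eli bs=1m` has no count, so it runs until the device is full and ends with an error from dd, which the text should describe as the expected result so readers do not take it for a failure.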
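Review bot: style only for the metadata-version hunk (@@ -1156,7 +1216,9 @@): replacing the literal word with the `.Fx` macro is the correct mdoc idiom, and the wrapped `.Fx` on its own line keeps the sentence intact; the `".Sy FreeBSD"` column width and the `.It Sy FreeBSD Ta Sy GELI` header row directly below still spell the name out, which is acceptable for a table heading but worth a quick check that it matches how the rest of the page names the OS.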